Improve hardening in tor.service
I suggest that tor.service's hardening implementation be changed. These lines would be replaced:
[Service]
DeviceAllow = /dev/null rw
DeviceAllow = /dev/urandom r
InaccessibleDirectories = /home
ReadOnlyDirectories = /
ReadWriteDirectories = /var/lib/tor
ReadWriteDirectories = /var/log/tor
ReadWriteDirectories = /var/run/tor
ReadWriteDirectories = /proc
With these lines:
PrivateDevices = yes
ProtectHome = yes
ProtectSystem = full
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID
Using PrivateDevices instead of DeviceAllow is more secure, as it creates a totally separate /dev as well as removing the CAP_MKNOD capability.
ProtectHome makes /home inaccessible, equivalent to "InaccessibleDirectories = /home" but (arguably) more comprehensible.
ProtectSystem=full makes /usr and /etc read-only.
CapabilityBoundingSet reduces the process's capabilities to just what it needs.
See http://www.freedesktop.org/software/systemd/man/systemd.exec.html
This discussion was started at https://bugs.gentoo.org/show_bug.cgi?id=529212 and the suggestion to use the higher level constructs was made by the Gentoo systemd team.
For historical reference, tor.service was added in #8368 (moved)
Trac:
Username: candrews
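An added example, not from the ticket and not tor's shipped unit file, of how the suggestion could be applied as a drop-in so the distribution's tor.service stays untouched. It assumes the file path /etc/systemd/system/tor.service.d/hardening.conf and that tor switches to its own user via User/Group in torrc (which is why CAP_SETUID and CAP_SETGID stay in the bounding set). One deliberate difference from a straight replacement: ProtectSystem=full only covers /usr and /etc, so dropping ReadOnlyDirectories=/ would leave the rest of the filesystem (for instance /var) writable; the drop-in therefore keeps the original read-only root and the explicit ReadWriteDirectories whitelist next to the higher-level directives.

```ini
# /etc/systemd/system/tor.service.d/hardening.conf
# Added example drop-in (not tor's shipped unit): applies the ticket's
# suggestion on top of the distribution's tor.service without editing it.
# Run `systemctl daemon-reload` after creating this file.
[Service]
# Reset the list-type directives so the values below replace, rather than
# extend, whatever the base unit already sets for them.
DeviceAllow=
ReadWriteDirectories=
InaccessibleDirectories=

# Private /dev containing only pseudo-devices such as /dev/null and
# /dev/urandom; also removes CAP_MKNOD and CAP_SYS_RAWIO from the bounding set.
PrivateDevices=yes

# /home, /root and /run/user become inaccessible
# (replaces InaccessibleDirectories=/home).
ProtectHome=yes

# /usr and /etc are mounted read-only for the service.
ProtectSystem=full

# ProtectSystem=full leaves everything outside /usr and /etc writable, so
# keep the original read-only root plus the explicit writable directories.
ReadOnlyDirectories=/
ReadWriteDirectories=/var/lib/tor
ReadWriteDirectories=/var/log/tor
ReadWriteDirectories=/var/run/tor
# Kept from the original unit; the ticket does not say why tor needs it.
ReadWriteDirectories=/proc

# Bind ports below 1024 and drop to the User/Group configured in torrc;
# every other capability is removed from the bounding set.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID
```

To check that the drop-in took effect, run `systemctl show tor.service -p PrivateDevices -p ProtectHome -p ProtectSystem -p CapabilityBoundingSet` after `systemctl daemon-reload` and a restart, and compare the CapBnd line in /proc/<tor pid>/status against the three capabilities listed; if tor fails to start, `journalctl -u tor.service` will show which path or capability it still needs.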